diff options
| author | Kerri Miller <kerrizor@kerrizor.com> | 2019-09-23 10:55:32 -0700 |
|---|---|---|
| committer | Kerri Miller <kerrizor@kerrizor.com> | 2019-10-09 10:47:45 -0700 |
| commit | 8395032721f6d6cb26126a5bffcb42984a240c07 (patch) | |
| tree | 875e37b4b88a3e207bd3f5a5a73cf78ce51b1daf /spec/support/controllers | |
| parent | 7e2b1008547d8ced97a30e96ac6fbc2b7ad32a7f (diff) | |
| download | gitlab-ce-8395032721f6d6cb26126a5bffcb42984a240c07.tar.gz | |
Avoid #authenticate_user! in #route_not_found
This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply.) We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.
Diffstat (limited to 'spec/support/controllers')
| -rw-r--r-- | spec/support/controllers/sessionless_auth_controller_shared_examples.rb | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/spec/support/controllers/sessionless_auth_controller_shared_examples.rb b/spec/support/controllers/sessionless_auth_controller_shared_examples.rb index b5149a0fcb1..bc95fcd6b88 100644 --- a/spec/support/controllers/sessionless_auth_controller_shared_examples.rb +++ b/spec/support/controllers/sessionless_auth_controller_shared_examples.rb @@ -34,8 +34,15 @@ shared_examples 'authenticates sessionless user' do |path, format, params| context 'when the personal access token has no api scope', unless: params[:public] do it 'does not log the user in' do - expect(authentication_metrics) - .to increment(:user_unauthenticated_counter) + # Several instances of where these specs are shared route the request + # through ApplicationController#route_not_found which does not involve + # the usual auth code from Devise, so does not increment the + # :user_unauthenticated_counter + # + unless params[:ignore_incrementing] + expect(authentication_metrics) + .to increment(:user_unauthenticated_counter) + end personal_access_token.update(scopes: [:read_user]) @@ -84,8 +91,15 @@ shared_examples 'authenticates sessionless user' do |path, format, params| end it "doesn't log the user in otherwise", unless: params[:public] do - expect(authentication_metrics) - .to increment(:user_unauthenticated_counter) + # Several instances of where these specs are shared route the request + # through ApplicationController#route_not_found which does not involve + # the usual auth code from Devise, so does not increment the + # :user_unauthenticated_counter + # + unless params[:ignore_incrementing] + expect(authentication_metrics) + .to increment(:user_unauthenticated_counter) + end get path, params: default_params.merge(private_token: 'token') |